US9619648B2 - Behavior change detection system for services - Google Patents

Behavior change detection system for services Download PDF

Info

Publication number
US9619648B2
US9619648B2 US14519062 US201414519062A US9619648B2 US 9619648 B2 US9619648 B2 US 9619648B2 US 14519062 US14519062 US 14519062 US 201414519062 A US201414519062 A US 201414519062A US 9619648 B2 US9619648 B2 US 9619648B2
Authority
US
Grant status
Grant
Patent type
Prior art keywords
data
behavior
computing
service
via
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
US14519062
Other versions
US20160019387A1 (en )
Inventor
Alisson Augusto Souza Sol
Dragos D. Boia
Barry Markey
Robert D. Fish
Donald J. Ankney
Viresh Ramdatmisier
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsoft Technology Licensing LLC
Original Assignee
Microsoft Technology Licensing LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Grant date

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Abstract

A behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. Machine learning hierarchical (agglomerative) clustering techniques are utilized to compute deviations between clustered data sets representing an “answer” that the service presents to a series of requests.

Description

RELATED APPLICATION

This application is a continuation-in-part of, and claims priority to U.S. patent application Ser. No. 14/333,377, filed on Jul. 16, 2014, the disclosure of which is incorporated by reference herein.

BACKGROUND

Organizations with a large number of computers that run several different services typically monitor both hardware and software events for anomalies that can indicate security threats. To date, operational security assurance procedures are typically based on rules that analyze events for pre-defined patterns. For example, the rules may be run against logs of each computer. The pre-defined patterns can indicate a potential security threat which, once identified, can be addressed. This rule-based approach can fail to scale in at least two dimensions, thus rendering the approach difficult to flexibly implement. First, regarding rule-based implementations, such requires coding of the rules ahead of time, based on expert knowledge. This means that rule developers have to anticipate what is sought as a vulnerability. Rule developers may not, however, be knowledgeable of all potential vulnerabilities, thus leaving gaps in the approach. Second, during operation, the rule-based approach demands full scanning of all events, seeking for patterns in data or information that may have incomplete or incorrect data.

Thus, it can be difficult to achieve good or satisfactory results because such systems can typically fail to either recognize important security events, or can produce too many false positives, thus triggering unnecessary investigations.

SUMMARY

This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter.

Various embodiments provide an approach to classifying security events based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In operation, machine learning techniques are utilized as an event classification mechanism which facilitates implementation scalability. The machine learning techniques are iterative and continue to learn over time. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents. When in operation, the system evaluates those features in real-time and provides a probability that an incident is about to occur.

In at least some embodiments, a behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. Machine learning hierarchical (agglomerative) clustering techniques are utilized to compute deviations between clustered data sets representing an “answer” that the service presents to a series of requests.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description references the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different instances in the description and the figures may indicate similar or identical items.

FIG. 1 illustrates an example operating environment in accordance with one or more embodiments.

FIG. 2 illustrates an example system in accordance with one or more embodiments.

FIG. 2a illustrates modeling a domain metadescriptor as xml data in accordance with one embodiment.

FIG. 2b illustrates modeling a matrix execution as xml data in accordance with one embodiment.

FIG. 3 illustrates an example recognizer in accordance with one or more embodiments.

FIG. 3a illustrates aspects of how an object feature can be collected in a specific context over time.

FIG. 3b illustrates an example of clustering the set values from FIG. 3 b.

FIG. 3c illustrates aspects of how an object feature can be collected in a specific context over a time period.

FIG. 3d illustrates an example of clustering the set values from FIG. 3 c.

FIG. 3e illustrates a computer deviation in accordance with one or more embodiments.

FIG. 3f is a flow diagram that describes steps in a method in accordance with one or more embodiments.

FIG. 3g is a flow diagram that describes steps in a method in accordance with one or more embodiments.

FIG. 4 illustrates the example system undergoing an iterative, machine learning process.

FIG. 5 illustrates the example system undergoing an iterative, machine learning process.

FIG. 6 illustrates aspects of how an example schema is mapped to an example system in accordance with one or more embodiments.

FIG. 7 illustrates aspects of how the example schema is mapped to the example system in accordance with one or more embodiments.

FIG. 8 is a flow diagram that describes steps in a method in accordance with one or more embodiments.

FIG. 9 is a flow diagram that describes steps in a method in accordance with one or more embodiments.

FIG. 10 is an example device in accordance with one or more embodiments.

DETAILED DESCRIPTION

Overview

Various embodiments provide an approach to classifying security events based on the concept of behavior change detection or “volatility.” The security events are associated with provision of one or more online services. Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In operation, machine learning techniques are utilized as an event classification mechanism which facilitates implementation scalability. The machine learning techniques are iterative and continue to learn over time. This constitutes an improvement over rule-based systems that require new rules to be authored whenever the system changes. Through machine learning techniques, the manual process typically associated with rule-based systems is eliminated. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents. When in operation, the system evaluates those features in real-time and provides a probability that an incident is about to occur.

In at least some embodiments, a behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. Machine learning hierarchical (agglomerative) clustering techniques are utilized to compute deviations between clustered data sets representing an “answer” that the service presents to a series of requests.

In the discussion that follows, a section entitled “Example Environment” describes an example environment in which the various embodiments can be utilized. Next, a section entitled “Example Schemas” describes an example schema that can be utilized in connection with various embodiments. Following this, a section entitled “Training a Recognizer” describes embodiments in which a recognizer can be initially trained for deployment in accordance with one or more embodiments. Next, a section entitled “Behavior Change Analysis for Services—Example” described but one approach that can be used to conduct behavior change analysis in accordance with one embodiment. Next, a section entitled “In Operation” describes operational aspects of a deployed recognizer and an iterative machine learning process in accordance with one or more embodiments. Following this, a section entitled “Relating the System to the Schema” provides a diagrammatic representation of how an example schema, described below, relates to the described system. Next, a section entitled “Example Methods” describes example methods in accordance with one or more embodiments. Last, a section entitled “Example Device” describes an example device in accordance with one or more embodiments.

Consider now an example environment in which various embodiments can be practiced.

Example Environment

FIG. 1 is an illustration of an environment 100 in an example implementation that is operable to employ the techniques described herein. The illustrated environment 100 includes servers 102, 103, one or more client devices 104, and a network 106 communicatively coupling the servers and client devices.

Although the client device 104 is illustrated as being implemented by a traditional desktop computer, the client device 104 may be implemented by a variety of different devices. For example, the client device 104 may be configured as a computer that is capable of communicating over the network 106, such as a desktop computer, a mobile station, an entertainment appliance, a set-top box communicatively coupled to a display device, a wireless phone, a game console, a tablet computer, a netbook, and so forth. Thus, the client device 104 may range from a full resource device with substantial memory and processor resources (e.g., personal computers, game consoles) to a low-resource device with limited memory and/or processing resources (e.g., traditional set-top boxes, hand-held game consoles). Additionally, the devices may be representative of one or more devices, e.g., the functionality provided by server(s) 102 may be implemented by a plurality of servers in a server farm, such as those represented by servers 103.

Although the network 106 is illustrated as the Internet, the network may assume a wide variety of configurations. For example, the network 106 may include a wide area network (WAN), a local area network (LAN), a wireless network, a public telephone network, an intranet, and so on. Further, although a single network 106 is shown, the network 106 may be configured to include multiple networks.

The server 102 can be configured as any suitable type of server that can provide any suitable type of service 108 that can be consumed on line. In at least some embodiments, the server or servers can be configured to operate in a so-called “cloud computing” environment. Cloud computing refers to a computing model that enables ubiquitous network access to a shared and virtualized pool of computing capabilities. Such computing capabilities can include, by way of example and not limitation, network, storage, processing, and memory capabilities that can be rapidly provisioned. Cloud computing can encompass a variety of cloud providers, as well as several infrastructure-as-a-service (Iaas) and platform-as-a-service (Paas) solutions.

Specifically, server 102 can be configured as, by way of example and not limitation, an application server that is dedicated to running certain software applications (e.g., business-related applications), a catalog server that can provide a central search point for information across a distributed network, a communications server that provides a computing platform for communication networks, a computation server intended for intensive computations (e.g., scientific calculations), a database server that provides database services to other computer programs or computers, a fax server that provides fax services for client devices, a file server that provides remote access to files, a game server that enables video game clients to connect in order to play online games, a mail server that handles transport of and access to e-mail and other communication services, a name server that provides name resolution, a print server that provides print services, a proxy server that acts as an intermediary for requests from clients seeking resources from other servers, a sound server that provides multimedia broadcasting or streaming, a Web server that allows a HTTP clients to connect in order to send commands and receive responses along with data contents, and the like. As such, the number and variety of services offered by servers 102, 103 can vary greatly.

The individual servers can include a system, including a so-called recognizer, which is designed to utilize machine learning techniques to classify security events based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In operation, the machine learning techniques are utilized as an event classification mechanism. The machine learning techniques are iterative and continue to learn over time. This constitutes an improvement over rule-based systems that require new rules to be authored whenever the system changes. Through machine learning techniques, the manual process typically associated with rule-based systems is eliminated in favor of an automatically-updatable and continuously-learning solution.

A user of the client device 104 may interact with a communication module 110, which is representative of functionality of the client device 104 to interact with the network 106, and hence interact with various online services provided by servers 102, 103.

Various embodiments described above and below can be implemented utilizing a computer-readable storage medium that includes instructions that enable a processing unit to implement one or more aspects of the disclosed methods as well as a system configured to implement one or more aspects of the disclosed methods. By “computer-readable storage medium” is meant all statutory forms of media. Accordingly, non-statutory forms of media such as carrier waves and signals per se are not intended to be covered by the term “computer-readable storage medium”.

Generally, any of the functions described herein can be implemented using software, firmware, hardware (e.g., fixed logic circuitry), manual processing, or a combination of these implementations. The terms “module,” “functionality,” and “logic” as used herein generally represent software, firmware, hardware, or a combination thereof. In the case of a software implementation, the module, functionality, or logic represents program code that performs specified tasks when executed on a processor (e.g., CPU or CPUs). The program code can be stored in one or more computer readable storage media. The features of the volatility-based classifier are platform-independent, meaning that the techniques may be implemented on a variety of commercial computing platforms having a variety of processors.

Having considered an example environment in which various embodiments can be employed, consider now preliminarily, an example schema that defines data flow between modules that are described below. It is to be appreciated and understood, however, that the schema about to be described constitutes but one example of a schema and is not to be used to limit application of the claimed subject matter. Near the end of this document, FIGS. 6 and 7 diagrammatically relate this schema to the system that is described just below.

Example Schemas

The schemas about to be discussed describe the data flows through a pipeline of processing modules for the volatility-based classifier. The schemas are first described, followed by a discussion of the various processing modules and how data described by the schemas flows through the processing modules.

“UsageData” is an open schema for usage data that describes how users interact with a particular service, e.g., online service requests to a particular web site, such as search queries in Bing.com.

“UsageDataDescription” is a schema for metadata about the UsageData. The metadata describes the UsageData in some particular way.

“OperationalData” is an open schema for the operational data for the datacenter hosting the services. OperationalData can include, by way of example and not limitation, aggregated CPU utilization, network traffic, memory usage, and the like.

“OperationalDataDescription” is a schema for metadata about the operation data. This metadata describes the OperationalData in some particular way.

“UsageVolatility” is an open schema for a time series with an indicated volatility of usage data. This can, for example, be a derivative for numerical features (like number of requests) or an open string capturing classes of changes, e.g., a string to capture that there are rendering differences in a web page within the last time period.

“OperationalVolatility” is an open schema for a time series with indicated volatility of operational data. As with the usage volatility, this can, for example, be a derivative for numerical features (like CPU utilization), or any other type of data that can summarize volatility within the target interval, e.g., categorical data, binary data or even null, in case the data was not captured.

“FeatureStream” is an open schema that captures the unified and correlated aggregation of both usage volatility and operational volatility in a time series bounded to pre-defined intervals (days, hours, minutes, seconds, milliseconds, etc.).

“RecognizedEvents” is an open schema that is used for the generated recognized events. Those are the points in time when usage and operational volatility deviate from historical data, based on annotated training data.

“RecognitionScoring” is an open schema that is used for the output of the scoring process of the recognized events against a so-called labeled “ground truth”.

Having considered example schemas in accordance with one or more embodiments, consider now a discussion of the tools and processes for training a so-called “recognizer” for various events.

Training a Recognizer

This section describes how a so-called “recognizer” can be initially trained through machine learning techniques.

In the illustrated and described embodiments, the tools and processes that are utilized for training a recognizer include, by way of example and not limitation:

    • (1) a service that generates synthetic attacks;
    • (2) data streams that capture both usage and operational data;
    • (3) processor modules for computing usage data volatility and operational data volatility;
    • (4) a correlation module for computing correlation of time series streams from usage volatility and operational volatility;
    • (5) a machine learning training framework for data clustering, classification, and regression; and
    • (6) a machine learning runtime environment.

As an example, consider FIG. 2 which illustrates an example system in accordance with one or more embodiments generally at 200. The system 200 includes one or more online services 202, examples of which are provided above. In addition, system 200 includes a user traffic module 204, a synthetic attack generator 206, usage data 208, operational data 210, a recognizer 212 and so-called recognized bad traffic 214. The recognized bad traffic constitutes recognized events at points in time where usage and operational volatility deviate from historical data, based on training data described below.

The user traffic module 204 is representative of functionality associated with the user traffic with respect to a particular online service 202. Specifically, user traffic can constitute so-called “good” traffic which is typical, normal user interactions. These normal user actions would be those typically associated with how a user normally consumes or otherwise interacts with an online service. The user traffic can also constitute so-called “bad” user traffic. Bad user traffic constitutes traffic that is otherwise not normal, including attack-type traffic, malicious traffic, and other suspicious interactions.

The synthetic attack generator 206 is used to generate synthetic attacks on the online service 202. The synthetic attacks can take any suitable form and, in at least some embodiments, can be a function of the type of online service that is provided. The synthetic attack generator 206 can be used, for example, to generate special attack strings, inject attack code in various URLs and parameters discovered from various logs associated with online service. Many times, these known attacks can generate several million requests per day on an online service 202.

Responsive to the input received from the user traffic module 204 and the synthetic attack generator 206, the online service 202 produces two kinds of data—usage data 208 and operational data 210.

The usage data 208 can include any suitable type of data associated with a user's interaction with an online service. So, for example, a log can describe that a user navigated to a webpage at a certain point in time, made a query for a particular kind of cell phone, received results for the query, and then navigated to another webpage.

The operational data 210 describes aspects of the system's hardware and software operations. Such can include, by way of example and not limitation, aggregated CPU utilization, network traffic, memory usage, and the like. So, for example, the operational data may describe that a particular machine, over a period of time, went from having a first percentage of its memory free to a second percentage of its memory free.

These two pieces of data—the usage data and the operational data—are correlated and sequenced in a manner described in more detail below. Specifically, the usage data and the operational data are input to and processed by recognizer 212, as described below. The recognizer 212 utilizes machine learning techniques, as described in more detail below, to produce the recognized bad traffic 214, i.e., recognized events that constitute departures from historical behavior.

FIG. 3 illustrates an example recognizer 212 in accordance with one or more embodiments. In this example, the recognizer is described as being deployed or operational. In this particular example, the recognizer 212 includes a usage data volatility processor 300, an operational data volatility processor 302, a time series streams correlator 304, and a trained model event recognizer 306.

The usage data mentioned above is received and processed by the usage data volatility processor 300. Likewise, the operational data is received and processed by the operational data volatility processor 302. Each of the processors 300, 302 process their respective data to analyze behaviors associated with the data. That is, each of these processors performs behavior change analysis on the data that it receives. Any suitable type of behavior change analysis can be conducted. So, for example, the usage data volatility processor may note that yesterday, a user utilized the online service to conduct a search for tickets to travel to Montreal. The search produced a webpage that was further consumed by the user. Today, however, when a similar search was conducted by a different user, the system behaved quite differently by perhaps producing different search results. Likewise, during this time, the operational data volatility processor 302 may note that yesterday's operational data during this search varied meaningfully in its memory usage as compared to today's similar search.

Based on the processing conducted by processors 300, 302, the observed behavioral change is quantified using a number or value which is correlated to the deviation of the behavioral change that is observed. Any suitable quantification scheme can be used in accordance with one or more embodiments. In at least some embodiments, the behavioral change is quantified using a value between 0 and 1. Quantification of the behavioral change in this manner enables classification of behavioral changes over time. This process produces a time series with user volatility and operational volatility data. But one example of how this can be done is provided below in a section entitled “Behavior Change Analysis for Online Services—Example”.

The quantified behavioral change data is provided to the time series streams correlator 304 for processing. The correlator analyzes the data that it receives from the usage data volatility processor 300 and looks to see if any data received from the operational data volatility processor 302 indicates any behavioral change at a corresponding time. So, for example, if a usage behavioral deviation occurred at a particular time, the time series streams correlator 304 examines data from that time received from the operational data volatility processor 302 to ascertain whether operations were normal or varied in some meaningful degree, e.g., did CPU usage jump from 50% to 100%? Thus, correlation of the volatility of usage data and operational data can help to identify whether a particular behavioral deviation was even more out of the ordinary. This process produces a feature stream that captures the unified and correlated aggregation of both usage volatility and operational volatility in a time series bounded to a pre-defined interval.

The feature stream is provided to the trained model event recognizer 306. The recognizer 306 is configured to recognize, from the feature stream that it receives, normal versus abnormal behavior. So, for example, at a given time the operational data may indicate a behavioral change associated with a machine being turned off. When the correlated time series stream is examined, the trained model event recognizer 306 may note that the usage data associated with that time is normal. Accordingly, as of this time, the system was operating normally. However, the time series stream may indicate an operational data variance along with usage data that is out of the normal operating range. In this instance, this is recognized as bad traffic, i.e. a recognized event in which usage and operational volatility deviate from historical data, and a notification can be generated by the system to cause further investigation to be performed.

Behavior Change Analysis for Services—Example

Any issue in any service (security, privacy, regression, and the like) over time can be considered as a change in behavior. One example of a service is an online or Web-based service. In the approach described below, an initial behavior phase is utilized to collect an initial behavior for a service over a period of time. An exercise behavior phase is then utilized to collect an exercised behavior over a different period of time. The initial behavior phase and exercise behavior phase produce two data sets for which a deviation is computed. The deviation can indicate behavior changes and find issues or legitimate mutations.

In one or more embodiments, to compute deviations in behavior for services, such as online services, two concepts are utilized—the domain metadescriptor and matrix execution, each of which is discussed below. These concepts enable a behavior to be “built.” Other approaches can be used without departing from the spirit and scope of the claimed subject matter.

Domain Metadescriptor

A domain metadescriptor describes elements out of context. Consider, for example, applying this concept to “http://www.bing.com”, which is simply an HTML end point. One can see an example of this when extracting out algorithmic search results (e.g., blue links that appear in a search result page). In this instance, we are not taking into account environment factors such as the query, market, language, or any other parameter that can contribute at the context in which the algorithmic results gets manifested. A domain metadescriptor (MDD) is a collection of objects described in an independent context.

In the illustrated and described example, an MDD object has an extractor and a collection of features. A feature is a collection of actions. Actions examples for an algorithmic result can include: instances number, order of instances (for a particular context in which order is displayed), page position, and the like.

Let Extractor be E and Feature be F and Action be A, then an object can be expressed by:
O={(E,F(i)) with i=1 . . . n}
where F={A(i), with i=1 . . . n}.

Then a domain metadescriptor can be expressed by MDD={O(i) with i=1 . . . n:O(i) context independent}.

Modeling a domain metadescriptor as xml data would appear as in FIG. 2a (using an example describing the Bing algorithmic result). In this particular example, “algo results” (i.e. the blue links that appear in a search results page) are described. The domain metadescriptor essentially describes or defines what an “algo result” means out of context. Here, there is an extractor, features, and actions. The extractor extracts the specific object from a particular page. In this instance, the extractor extracts “algo results.” The features assist in defining what a particular behavior means for the “algo results”, i.e. the blue links. In this particular instance, the “algo results” are extracted and the behavior is analyzed. In this example, actions including color, page position for each blue link, and instances information all contribute to the behavior. In this manner, the features define properties that are of interest with respect to a particular service.

To conclude, a domain metadescriptor is utilized to describe what part of the domain behavior we are trying to examine and analyze for deviations.

Matrix Execution

Matrix execution describes an object context generator and can be thought of as describing the “question” that is going to be asked. A matrix execution puts a MDD in various kinds of contexts. A simple example using algorithmic results would be to render them for specific queries, markets, languages, and the like.

Let a context be C and expressed by C={O(i) with i=1 . . . n:O(i) context dependent}. Then a matrix execution can be expressed by MTX={C(i), with i=1 . . . n}. And, subsequently MDD is subset of C. The MTX can be thought of as the mechanism that consumes an MDD.

Modeling a matrix execution as xml data would appear as indicated in FIG. 2b (using an example generating Bing contexts). In the illustrated and described example, matrix execution is built on using dynamic parameters. Each parameter is going to replace one variable from the endpoint value. In this example, there is a parameter “query” having values “microsoft” and “johann sebastian bach”. At runtime, there will be a market “en-US” and a query of “microsoft” and a query of “johann sebastian bach”. Likewise, there will be a market of “en-GB” and a query of “microsoft” and a query of “johann sebastian bach”.

Behavior Collection Initial Phase

Consider now a behavior collection initial phase. Specifically, now that a MTX and MDD have been established, we can describe what a behavior is and how one is collected. We are looking at a MDD in a specific context triggered by MTX. Then we can express the MDD in a specific context by MDD(MTX)={O(i,C(j)), with i=1 . . . n,j=1 . . . m} where O(i,C(j))={(F(i,C(j)) with i=1 . . . n,j=1 . . . m} than by replacement in the first expression we have MDD(MTX)={F(i,C(j)), with i=1 . . . n,j=1 . . . m}.

So now if a finite time period is defined as T={t(1), . . . t(k)} and we collect a feature one for a specific context one over this time period, then this will appear as follows: F(1,C(1),T)={A(i,C(1),t(j)), with i=1 . . . n,j=1 . . . k}

The next step after we have those sets of values (for a feature in a specific context over a time period) is to cluster them using a machine learning hierarchical clustering algorithm (e.g., agglomerative approach).

Looking FIG. 3a , we cluster Set1, Set2, and Set3. So at the end we can say that a behavior for an object feature in a specific context over a time period is a cluster of clusters. Let Custer be CL={Set(i), with i=1 . . . n} and let a cluster of clusters be CLCL={CL(i), with i=1 . . . n}.

Looking at FIG. 3a , if CL1={Set1,Set2} and CL2={Set3} then CLCL1={CL1,CL2}. As an example, consider FIG. 3b which illustrates an example of clustering the set of values from FIG. 3 a.

To conclude, a behavior is a cluster of clusters, computed using the hierarchical clustering algorithm (e.g., agglomerative approach), using data collected for an object feature in specific context over a period of time. This can be expressed as follows: let Behavior be B={CLCL(T)}, where CLCL is the cluster of clusters and T is the time period.

Behavior Collection Exercise Phase

Consider now a behavior collection exercise phase in accordance with one or more embodiments. This phase is actually being collected and computed in the same way as the initial phase (explained above). The only difference here will be the time (T). So if for an initial behavior phase we choose a T={t(i), with i=1 . . . n} then for the exercise phase we have to choose T′={t(j), with j=n+m, . . . k and m>=1 and k>m+n}. In other words there is no overlap between the two time periods. So the only particularity of the exercise phase is the fact that T should not overlap with the T′ from the initial phase. FIG. 3c illustrates this.

The behavior for the exercise phase is shown in FIG. 3d . The sets were collected over a different period of time therefore the cluster of clusters may look different.

It should be noted that the T and T′ from initial and exercise behavior intervals should be equal. We want to have a symmetrical distribution data for each behavior phases. The context is uniformly spread across T, thus if j=i+1 and k=j+1 then t(j)−t(i)=t(k)−t(j) with i,j,k from 1 . . . n.

Computing Behavior Deviations

Consider now the computation of behavior deviations in accordance with one embodiment. That is, with the two phases of behavior explained above, we can go further to compute the behavior deviation. To compute a deviation between two distinct phases of the same behavior, we compute the symmetrical difference between the two clusters of clusters. So a symmetrical difference between:
CLCL(TCLCL(T′)=CLCL(T)UCLCL(T′)−CLCL(T)∩CLCL(T′) (or B(TB(T′)=B(T)UB(T′)−B(T)∩B(T′))
is the actual deviation between the two phases of the same behavior. That is, the symmetrical difference is the union of the two clusters minus the intersection of the two clusters. FIG. 3e illustrates this.

B(T)ΔB(T′) is greater than or equal to zero and less than or equal to one.

A deviation equal to zero means no change in behavior; consequently a value equal to one means that the behavior has totally changed. Now a decision can be made as to what this deviation means, whether it is an issue or not, and if it is an issue, what kind of issue (e.g., security, regular regression, privacy).

By collecting behavior deviations, classifying them, and making the system remember them, issues can be found including security, regular regression, privacy issues. The testing coverage is highly improved, will not be highly human dependent as time goes by, and will learn as well as be able to identify unknown issues.

FIG. 3f is a flow diagram that describes steps in behavior change detection method in accordance with one or more embodiments. The method can be implemented in connection with any suitable hardware, software, firmware, or combination thereof.

Step 320 collects data associated with an initial behavior phase of a service. Examples of how this can be done are provided above and below. Step 322 collects data associated with an exercised behavior phase of the service. Examples of how this can be done are provided above and below. Step 324 computes a deviation between the initial behavior phase and the exercised behavior phase. Examples of how this can be done are provided above.

FIG. 3g is a flow diagram that describes steps in a behavior change detection method that can be used to implement the method of FIG. 3f in accordance with one or more embodiments. The method can be implemented in connection with any suitable hardware, software, firmware, or combination thereof.

Step 350 constructs a domain metadescriptor. Examples of how this can be done are provided above. Step 352 constructs a matrix execution to place the domain metadescriptor in a specific context. Step 354 collects an initial behavior using the domain metadescriptor in a specific context triggered by the matrix execution. Step 356 collects exercised behavior using the domain metadescriptor in a specific context triggered by the matrix execution. Step 358 computes a deviation between the initial behavior and the exercised behavior.

Having considered how a recognizer can be trained and deployed for use, and how behavior change analysis can be conducted, consider now a discussion of an example overall process for connecting various processing modules and performing operational evaluation, including continued training using machine learning techniques.

In Operation

The following discussion describes an iterative process through which security events can be recognized by a recognizer, and machine learning techniques can be employed to automatically and continuously enable the recognizer to further learn how to recognize security events.

In the discussion that follows, both FIGS. 4 and 5 are utilized. FIG. 4 describes the iterative process from the standpoint of the initial deployment of the recognizer, and FIG. 5 describes how the recognizer can be further trained or “boosted.” For purposes of the discussion and because of spacing constraints, the names of the individual elements or modules have been removed. However, the corresponding numerical designators for each element have been carried through from the previous discussion.

Referring to FIG. 4, initial training occurs through the use of what is referred to as the initial ground truth for training data. The initial ground truth includes data that describes, for a particular online service, behaviors that appear to be normal and behaviors that appear to be not normal. This data can be developed over time and can be iteratively boosted by subsequent machine learning techniques, as will become apparent below. This data can reside in the form of both usage data and operational data as described above.

Training of the recognizer 212 using the initial ground truth takes place essentially as described above. Once initially trained, the recognizer can be deployed as indicated by the arrow extending from the trained model event recognizer 306 to the rightmost recognizer 212.

Referring now to FIG. 5, the deployed recognizer, i.e. the left-most recognizer 212, is ready to take part in the iterative, machine learning process. In operation, when the recognizer 212 is online, it receives usage data 208 and operational data 210 and processes the data as described above. Specifically, the usage data 208 and operational data 210 are processed to produce recognized bad traffic or recognized events.

The system then employs an evaluation and scoring process during which time the recognized bad traffic is evaluated and scored for purposes of further honing the system's ability to recognize bad traffic. In this example, the evaluation and scoring process is represented by an arrow that extends from the leftmost recognized bad traffic 214 to a scoring table 500. Each instance of recognized bad traffic is scored as either a “true positive”, “true negative”, “false positive”, or “false negative”.

As will be appreciated by the skilled artisan, “true positives” and “true negatives” are instances where the system is behaving as intended. That is to say, the system is correctly identifying and recognizing bad traffic and not recognizing traffic that is not bad traffic. The instances in which the evaluation and scoring process identifies a “false positive” or a “false negative” constitute instances in which an iterative learning process can be employed to further boost the accuracy with which the system can identify security threats.

Specifically, a “false positive” is a situation in which traffic was identified as bad but, in fact, the traffic was not bad. A “false negative” is a situation in which something should have been identified as bad traffic but was not identified as bad traffic. In both of these instances, an action is taken to boost the ground truth by providing this information back to the recognizer in the form of additional ground truth training data—both usage data and operational data—that can further be processed by the system. This data is also used as validation data for the user traffic module 204. The result of using this additional training data is that the deployed recognizer can be boosted as indicated by the arrow extending from the trained model event recognizer 306 to the leftmost recognizer 212.

This process can continue automatically to develop additional training data that is fed back into the system for both training and validation which, in turn, increases the effectiveness with which the recognizer can perform its operations.

Relating the System to the Schema

Earlier, the notion of a schema was introduced to describe data that is processed by the system as described above. The following discussion relates the schema to the system that was just described above. Similar to the manner in which FIGS. 4 and 5 were discussed, FIGS. 6 and 7 are now provided. Also provided is a table 600 that includes a mapping of numbers to schema elements. These numbers are then encircled and provided onto the diagrams in each figure to show where in the process, data of the schema elements is utilized.

Beginning with FIG. 6, metadata (01 d and 02 d) associated with usage data and operational data, respectively, is utilized to describe usage data (01) and operational data (02) respectively. The usage data and operational data are processed by their respective volatility processors 300, 302 to produce, respectively, usage volatility (03) and operational volatility (04) time series, as described above. These time series are processed by the time series streams correlator 304 to produce a feature stream (05). The feature stream captures the unified and correlated aggregation of both usage volatility and operational volatility in the time series bounded to pre-defined intervals such as, by way of example and not limitation, days, hours, minutes, seconds, milliseconds, and the like. The feature stream is processed by the trained model event recognizer 306 to produce recognized events (06), referred to as “bad traffic” in the above description.

Shifting now to FIG. 7, the recognized events (06) undergo an evaluation and scoring process to produce recognition scoring data (07) in which the recognized events are scored against the labeled ground truth. The process then continues as described above. That is, the recognizer can be boosted through machine learning techniques that employ identified false positives and false negatives to improve the system's ability to identify bad traffic or recognized events.

Example Methods

FIG. 8 is a flow diagram that describes steps in a training method used to train a recognizer in accordance with one or more embodiments. The method can be implemented in connection with any suitable hardware, software, firmware, and the like. In at least some embodiments, the method or aspects thereof can be implemented by a suitably-configured recognizer, such as the recognizers described above.

Step 800 produces usage data associated with an online service. Step 802 produces operational data associated with the online service. Steps 800 and 802 can be performed in any suitable way. For example, in at least some embodiments, usage and operational data are produced by observing how users interact with the online service. As noted above, this can include both good and bad interactions. In addition, usage and operational data can be produced from synthetic attack patterns that are processed by the online service. Examples of synthetic attack patterns are provided above. Data produced by steps 800 and 802 can be produced in parallel.

Step 804 processes the usage data and the operational data to produce a measure of behavioral changes over time. This step can be performed in any suitable way. For example, in the embodiments described above, volatility processors process the usage data and operational data, respectively, to produce a quantified measure that is correlated to the deviation of behavioral change over time. Step 806 correlates behavioral changes of the usage data and the operational data. Examples of how this can be done are provided above. The usage data and operational data can be processed in parallel.

Step 808 processes the correlated behavioral changes to recognize one or more events in which usage and operational behavioral changes deviate from historical data.

FIG. 9 is a flow diagram that describes steps in a method in which a trained recognizer, through machine learning techniques, can be continuously and automatically boosted to more effectively identify bad traffic or recognized events, in accordance with one or more embodiments. The method can be implemented in connection with any suitable hardware, software, firmware, and the like. In at least some embodiments, the method or aspects thereof can be implemented by a suitably-configured recognizer, such as the recognizer's described above.

Step 900 provides a recognizer that has been trained with usage data and operational data. An example of how this can be done is provided above. Step 902 processes received usage data and operational data to recognize one or more events in which usage and operational behavioral changes deviate from historical data. An example of how this can be done is provided above. Specifically, with respect to the method described in FIG. 8, one way in which this step can be performed is through the combination of steps 804, 806, and 808.

Step 904 scores the recognized events to identify false positives and false negatives. Examples of how this can be done are provided above. Step 906 uses the false positives and false negatives to further train the recognizer. Examples of how this can be done are provided above. The method can then return to step 902 to continue receiving and processing usage and operational data as described above.

Example Device

FIG. 10 illustrates various components of an example device 1000 that can be implemented as any type of portable and/or computer device to implement the embodiments described herein. Device 1000 includes communication devices 1002 that enable wired and/or wireless communication of device data 1004 (e.g., received data, data that is being received, data scheduled for broadcast, data packets of the data, etc.). The device data 1004 or other device content can include configuration settings of the device, media content stored on the device, and/or information associated with a user of the device. Media content stored on device 1000 can include any type of audio, video, and/or image data. Device 1000 includes one or more data inputs 1006 via which any type of data, media content, and/or inputs can be received, such as user-selectable inputs, messages, music, television media content, recorded video content, and any other type of audio, video, and/or image data received from any content and/or data source.

Device 1000 also includes communication interfaces 1008 that can be implemented as any one or more of a serial and/or parallel interface, a wireless interface, any type of network interface, a modem, and as any other type of communication interface. The communication interfaces 1008 provide a connection and/or communication links between device 1000 and a communication network by which other electronic, computing, and communication devices communicate data with device 1000.

Device 1000 includes one or more processors 1010 (e.g., any of microprocessors, controllers, and the like) which process various computer-executable or readable instructions to control the operation of device 1000 and to implement the embodiments described above. Alternatively or in addition, device 1000 can be implemented with any one or combination of hardware, firmware, or fixed logic circuitry that is implemented in connection with processing and control circuits which are generally identified at 1012. Although not shown, device 1000 can include a system bus or data transfer system that couples the various components within the device. A system bus can include any one or combination of different bus structures, such as a memory bus or memory controller, a peripheral bus, a universal serial bus, and/or a processor or local bus that utilizes any of a variety of bus architectures.

Device 1000 also includes computer-readable media 1014, such as one or more memory components, examples of which include random access memory (RAM), non-volatile memory (e.g., any one or more of a read-only memory (ROM), flash memory, EPROM, EEPROM, etc.), and a disk storage device. A disk storage device may be implemented as any type of magnetic or optical storage device, such as a hard disk drive, a recordable and/or rewriteable compact disc (CD), any type of a digital versatile disc (DVD), and the like. Device 1000 can also include a mass storage media device 1016.

Computer-readable media 1014 provides data storage mechanisms to store the device data 1004, as well as various device applications 1018 and any other types of information and/or data related to operational aspects of device 1000. For example, an operating system 1020 can be maintained as a computer application with the computer-readable media 1014 and executed on processors 1010. The device applications 1018 can include a device manager (e.g., a control application, software application, signal processing and control module, code that is native to a particular device, a hardware abstraction layer for a particular device, etc.), as well as other applications that can include, web browsers, image processing applications, communication applications such as instant messaging applications, word processing applications and a variety of other different applications. The device applications 1018 also include any system components or modules to implement embodiments of the techniques described herein. In this example, the device applications 1018 can include recognizer 1022 that operates as described above.

Device 1000 also includes an audio and/or video input-output system 1024 that provides audio data to an audio system 1026 and/or provides video data to a display system 1028. The audio system 1026 and/or the display system 1028 can include any devices that process, display, and/or otherwise render audio, video, and image data. Video signals and audio signals can be communicated from device 1000 to an audio device and/or to a display device via an RF (radio frequency) link, S-video link, composite video link, component video link, DVI (digital video interface), analog audio connection, or other similar communication link. In an embodiment, the audio system 1026 and/or the display system 1028 are implemented as external components to device 1000. Alternatively, the audio system 1026 and/or the display system 1028 are implemented as integrated components of example device 1000.

Example Implementations

Example implementations of behavior change detection system for services described herein include, but are not limited to, one or any combination of one or more of the following example:

A method implemented by a computing device comprising: collecting data associated with an initial behavior phase of a service; collecting data associated with an exercised behavior phase of the service; and computing (324) a deviation between the initial behavior phase and the exercised behavior phase.

A method as described above, wherein the service comprises an online service.

A method as described above, wherein collecting data associated with the initial behavior phase comprises using a domain metadescriptor in a specific context triggered by a matrix execution.

A method as described above, wherein collecting data associated with the exercised behavior phase comprises using a domain metadescriptor in a specific context triggered by a matrix execution.

A method as described above, wherein collecting data associated with the initial behavior phase comprises using a domain metadescriptor in a specific context triggered by a matrix execution; and wherein collecting data associated with the exercised behavior phase comprises using the domain metadescriptor in a specific context triggered by the matrix execution.

A method as described above, wherein the domain metadescriptor is a collection of objects described in an independent context.

A method as described above, wherein the domain metadescriptor includes an extractor that extracts specific objects from a page and a collection of features which define what a behavior means.

A method as described above, wherein the matrix execution describes an object context generator.

A method as described above, wherein collecting data associated with the initial behavior phase and collecting data associated with the exercised behavior phase are performed over different finite time periods having the same length.

A method as described above, wherein collecting data associated with the initial behavior phase defines a set of values and wherein collecting data associated with the exercised behavior phase defines another set of values and further comprising clustering both sets of values into respective clusters.

A method as described above, wherein said clustering both sets of values comprises using a machine learning hierarchical clustering algorithm.

A computing device comprising: one or more processors; one or more computer readable storage media storing computer readable instructions which, when executed, perform operations comprising: constructing a domain metadescriptor; constructing a matrix execution to place the domain metadescriptor in a specific context; collecting an initial behavior using the domain metadescriptor in a specific context triggered by the matrix execution; collecting an exercised behavior using the domain metadescriptor in the specific context triggered by the matrix execution; and computing (358) a deviation between the initial behavior and the exercised behavior.

The computing device described above, wherein collecting an initial behavior phase defines a set of values and wherein collecting the exercised behavior phase defines another set of values and further comprising clustering both sets of values into respective clusters.

The computing device described above, wherein said clustering both sets of values comprises using a machine learning hierarchical clustering algorithm.

The computing device described above, wherein computing the deviation comprises computing asymmetrical difference between the respective clusters.

The computing device described above, wherein computing the deviation comprises computing the union of the respective clusters minus the intersection of the respective clusters.

The computing device described above, wherein the initial behavior and the exercised behavior are associated with a service.

The computing device described above, wherein the initial behavior and the exercised behavior are associated with an online service.

The computing device described above, wherein computing the deviation comprises computing asymmetrical difference between the respective clusters.

The computing device described above, wherein computing the deviation comprises computing the union of the respective clusters minus the intersection of the respective clusters.

CONCLUSION

Various embodiments provide an approach to classifying security events based on the concept of behavior change detection or “volatility.” Behavior change detection is utilized, in place of a pre-defined patterns approach, to look at a system's behavior and detect any variances from what would otherwise be normal operating behavior. In operation, machine learning techniques are utilized as an event classification mechanism which facilitates implementation scalability. The machine learning techniques are iterative and continue to learn over time. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents. When in operation, the system evaluates those features in real-time and provides a probability that an incident is about to occur.

In at least some embodiments, a behavior change detection system collects behavior from a service, such as an online service, and detects behavior changes, either permanent or transient, in the service. Machine learning hierarchical (agglomerative) clustering techniques are utilized to compute deviations between clustered data sets representing an “answer” that the service presents to a series of requests.

Although the embodiments have been described in language specific to structural features and/or methodological acts, it is to be understood that the various embodiments defined in the appended claims are not necessarily limited to the specific features or acts described. Rather, the specific features and acts are disclosed as example forms of implementing the various embodiments.

Claims (14)

What is claimed is:
1. A computer-implemented method comprising:
collecting, via a hardware processor, using a domain metadescriptor in a specific context triggered by a matrix execution, first data associated with an initial behavior phase of a service defining a first set of values;
collecting, via the hardware processor, using the domain metadescriptor in the specific context triggered by the matrix execution, second data associated with an exercised behavior phase of the service defining a second set of values;
clustering the first and second sets of values into respective clusters using a machine learning hierarchical clustering algorithm; and
computing, via the hardware processor, a deviation between the first data associated with the initial behavior phase and second data associated with the exercised behavior phase of the service based on the respective clusters.
2. The method of claim 1, wherein the service comprises an online service.
3. The method of claim 1, wherein the domain metadescriptor is a collection of objects described in an independent context.
4. The method of claim 3, wherein the domain metadescriptor includes an extractor that extracts specific objects from a page and a collection of features which define what a behavior means.
5. The method of claim 1, wherein the matrix execution describes an object context generator.
6. The method of claim 1, wherein collecting the first data associated with the initial behavior phase and collecting the second data associated with the exercised behavior phase are performed over different finite time periods having a same length.
7. The method of claim 1, wherein computing the deviation comprises computing, via the hardware processor, an asymmetrical difference between the respective clusters.
8. The method of claim 1, computing the deviation comprises computing, via the hardware processor, a union of the respective clusters minus an intersection of the respective clusters.
9. A computing device comprising:
one or more hardware processors;
one or more computer readable storage media storing computer readable instructions which, when executed on the hardware processors, cause the one or more hardware processors to:
construct a domain metadescriptor;
construct a matrix execution to place the domain metadescriptor in a specific context;
collect initial behavior data using the domain metadescriptor in the specific context triggered by the matrix execution defining a first set of values;
collect exercised behavior data using the domain metadescriptor in the specific context triggered by the matrix execution defining a second set of values;
cluster the first and second sets of values into respective clusters using a machine learning hierarchical clustering algorithm; and
compute a deviation between the initial behavior data and the exercised behavior data based on the respective clusters.
10. The computing device of claim 9, wherein computing the deviation comprises computing an asymmetrical difference between the respective clusters.
11. The computing device of claim 9, wherein computing the deviation comprises computing a union of the respective clusters minus an intersection of the respective clusters.
12. The computing device of claim 9, wherein the initial behavior data and the exercised behavior data are associated with a service.
13. The computing device of claim 9, wherein the initial behavior data and the exercised behavior data are associated with an online service.
14. A computer-implemented method, comprising:
constructing, via a hardware processor, a domain metadescriptor;
constructing, via the hardware processor, a matrix execution to place the domain metadescriptor in a specific context;
collecting, via the hardware processor, initial behavior data using the domain metadescriptor in the specific context triggered by the matrix execution defining a first set of values;
collecting, via the hardware processor, exercised behavior data using the domain metadescriptor in the specific context triggered by the matrix execution defining a second set of values;
clustering, via the hardware processor, the first and second sets of values into respective clusters using a machine learning hierarchical clustering algorithm; and
computing, via the hardware processor, a deviation between the initial behavior data and the exercised behavior data based on the respective clusters.
US14519062 2014-07-16 2014-10-20 Behavior change detection system for services Active US9619648B2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US14333377 US9485263B2 (en) 2014-07-16 2014-07-16 Volatility-based classifier for security solutions
US14519062 US9619648B2 (en) 2014-07-16 2014-10-20 Behavior change detection system for services

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14519062 US9619648B2 (en) 2014-07-16 2014-10-20 Behavior change detection system for services
PCT/US2015/040086 WO2016010875A1 (en) 2014-07-16 2015-07-13 Behavior change detection system for services

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14333377 Continuation-In-Part US9485263B2 (en) 2014-07-16 2014-07-16 Volatility-based classifier for security solutions

Publications (2)

Publication Number Publication Date
US20160019387A1 true US20160019387A1 (en) 2016-01-21
US9619648B2 true US9619648B2 (en) 2017-04-11

Family

ID=53758542

Family Applications (1)

Application Number Title Priority Date Filing Date
US14519062 Active US9619648B2 (en) 2014-07-16 2014-10-20 Behavior change detection system for services

Country Status (2)

Country Link
US (1) US9619648B2 (en)
WO (1) WO2016010875A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9485263B2 (en) 2014-07-16 2016-11-01 Microsoft Technology Licensing, Llc Volatility-based classifier for security solutions
US10110622B2 (en) 2015-02-13 2018-10-23 Microsoft Technology Licensing, Llc Security scanner
US20180096157A1 (en) * 2016-10-05 2018-04-05 Microsoft Technology Licensing, Llc Detection of compromised devices via user states

Citations (73)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002023808A2 (en) 2000-09-15 2002-03-21 Cymtec Systems, Inc. Network management system
US20020107960A1 (en) 2001-02-05 2002-08-08 Wetherall David J. Network traffic regulation including consistency based detection and filtering of packets with spoof source addresses
US20020143980A1 (en) 2001-04-03 2002-10-03 Wetherall David J. Independent detection and filtering of undesirable packets
US20030002436A1 (en) 2001-06-20 2003-01-02 Anderson Thomas E. Detecting network misuse
CA2452285A1 (en) 2001-06-27 2003-01-09 Arbor Networks Method and system for monitoring control signal traffic over a computer network
US20030131100A1 (en) 2002-01-08 2003-07-10 Alcatel Offline behavior analysis for online personalization of value added services
EP1348285A2 (en) 2000-10-09 2003-10-01 Asta Networks, Inc. Progressive and distributed regulation of selected network traffic destined for a network node
US20040004941A1 (en) 2002-07-02 2004-01-08 Malan Gerald R. Apparatus and method for managing a provider network
US20040103211A1 (en) 2002-11-21 2004-05-27 Jackson Eric S. System and method for managing computer networks
US20040111708A1 (en) * 2002-09-09 2004-06-10 The Regents Of The University Of California Method and apparatus for identifying similar regions of a program's execution
US20040193918A1 (en) 2003-03-28 2004-09-30 Kenneth Green Apparatus and method for network vulnerability detection and compliance assessment
US20050005017A1 (en) 2003-07-03 2005-01-06 Arbor Networks, Inc. Method and system for reducing scope of self-propagating attack code in network
US20050018602A1 (en) 2003-07-21 2005-01-27 Labovitz Craig H. System and method for correlating traffic and routing information
US20050216956A1 (en) 2004-03-24 2005-09-29 Arbor Networks, Inc. Method and system for authentication event security policy generation
US7058015B1 (en) 2000-08-04 2006-06-06 Arbor Networks, Inc. Distributed solution for regulating network traffic
US7159237B2 (en) 2000-03-16 2007-01-02 Counterpane Internet Security, Inc. Method and system for dynamic network intrusion monitoring, detection and response
US20070094491A1 (en) 2005-08-03 2007-04-26 Teo Lawrence C S Systems and methods for dynamically learning network environments to achieve adaptive security
US20080059544A1 (en) 2006-06-09 2008-03-06 Rick Rahim System and method for providing secure third party website histories
US20080184371A1 (en) 2007-01-29 2008-07-31 Deutsche Telekom Ag method and system for detecting malicious behavioral patterns in a computer, using machine learning
US7424619B1 (en) 2001-10-11 2008-09-09 The Trustees Of Columbia University In The City Of New York System and methods for anomaly detection and adaptive learning
US7475141B1 (en) 2001-07-31 2009-01-06 Arbor Networks, Inc. Distributed service level management for network traffic
US20090168648A1 (en) 2007-12-29 2009-07-02 Arbor Networks, Inc. Method and System for Annotating Network Flow Information
US7603715B2 (en) 2004-07-21 2009-10-13 Microsoft Corporation Containment of worms
US7634812B2 (en) 2004-07-21 2009-12-15 Microsoft Corporation Filter generation
US7634813B2 (en) 2004-07-21 2009-12-15 Microsoft Corporation Self-certifying alert
US20090313699A1 (en) 2008-06-17 2009-12-17 Jang In Sook Apparatus and method for preventing anomaly of application program
US7690037B1 (en) 2005-07-13 2010-03-30 Symantec Corporation Filtering training data for machine learning
US7730531B2 (en) 2005-04-15 2010-06-01 Microsoft Corporation System and method for detection of artificially generated system load
US20100177943A1 (en) 2006-08-11 2010-07-15 Koninklijke Philips Electronics N.V. Methods and apparatus to integrate systematic data scaling into genetic algorithm-based feature subset selection
US7774459B2 (en) 2006-03-01 2010-08-10 Microsoft Corporation Honey monkey network exploration
US7779304B2 (en) * 2007-06-15 2010-08-17 International Business Machines Corporation Diagnosing changes in application behavior based on database usage
US7841007B2 (en) 2002-03-29 2010-11-23 Scanalert Method and apparatus for real-time security verification of on-line services
US20110023115A1 (en) 2009-07-21 2011-01-27 Wright Clifford C Host intrusion prevention system using software and user behavior analysis
US7970886B1 (en) 2000-11-02 2011-06-28 Arbor Networks, Inc. Detecting and preventing undesirable network traffic from being sourced out of a network domain
US8001271B1 (en) 2002-10-21 2011-08-16 Arbor Networks, Inc. Method and apparatus for locating naming discrepancies
US20110283361A1 (en) 2010-01-19 2011-11-17 Damballa, Inc. Method and system for network-based detecting of malware from behavioral clustering
US20110296002A1 (en) 2010-05-28 2011-12-01 Arbor Networks, Inc. Stateful Flow Information Table Method and System for Packet Inspection System
US8112546B2 (en) 2009-02-13 2012-02-07 Microsoft Corporation Routing users to receive online services based on online behavior
US20120047248A1 (en) 2010-08-20 2012-02-23 Arbor Networks, Inc. Method and System for Monitoring Flows in Network Traffic
US8136029B2 (en) 2008-07-25 2012-03-13 Hewlett-Packard Development Company, L.P. Method and system for characterising a web site by sampling
US20120096551A1 (en) 2010-10-13 2012-04-19 National Taiwan University Of Science And Technology Intrusion detecting system and method for establishing classifying rules thereof
US20120222119A1 (en) 2008-05-08 2012-08-30 Lawrence Brent Huston Active computer system defense technology
US8266698B1 (en) 2009-03-09 2012-09-11 Symantec Corporation Using machine infection characteristics for behavior-based detection of malware
US8291499B2 (en) 2004-04-01 2012-10-16 Fireeye, Inc. Policy based capture with replay to virtual machine
US8312536B2 (en) 2006-12-29 2012-11-13 Symantec Corporation Hygiene-based computer security
US8365290B2 (en) 2009-05-15 2013-01-29 Frederick Young Web application vulnerability scanner
US20130031605A1 (en) 2011-07-28 2013-01-31 Arbor Networks, Inc. Method and Apparatus for Probabilistic Matching to Authenticate Hosts During Distributed Denial of Service Attack
US8370929B1 (en) 2006-09-28 2013-02-05 Whitehat Security, Inc. Automatic response culling for web application security scan spidering process
US8370939B2 (en) 2010-07-23 2013-02-05 Kaspersky Lab, Zao Protection against malware on web resources
US20130055374A1 (en) 2011-08-29 2013-02-28 Arbor Networks, Inc. System and Method for Denial of Service Attack Mitigation Using Cloud Services
US20130055375A1 (en) 2011-08-29 2013-02-28 Arbor Networks, Inc. Method and Protection System for Mitigating Slow HTTP Attacks Using Rate and Time Monitoring
US8424072B2 (en) 2010-03-09 2013-04-16 Microsoft Corporation Behavior-based security system
US20130111019A1 (en) 2011-10-28 2013-05-02 Electronic Arts Inc. User behavior analyzer
US20130198119A1 (en) 2012-01-09 2013-08-01 DecisionQ Corporation Application of machine learned bayesian networks to detection of anomalies in complex systems
WO2013113532A1 (en) 2012-01-30 2013-08-08 Telefónica, S.A. A method and a system to detect malicious software
US20130263259A1 (en) 2011-08-29 2013-10-03 Arbor Networks, Inc. Analyzing response traffic to detect a malicious source
US8555391B1 (en) 2009-04-25 2013-10-08 Dasient, Inc. Adaptive scanning
US8566935B2 (en) 2011-05-12 2013-10-22 At&T Intellectual Property I, L.P. Balancing malware rootkit detection with power consumption on mobile devices
US8572735B2 (en) 2007-03-29 2013-10-29 George Mason Research Foundation, Inc. Attack resistant continuous network service trustworthiness controller
US8578494B1 (en) 2011-03-31 2013-11-05 Rockwell Collins, Inc. Security threat detection
US8595837B2 (en) 2011-08-29 2013-11-26 Novell, Inc. Security event management apparatus, systems, and methods
US8595176B2 (en) 2009-12-16 2013-11-26 The Boeing Company System and method for network security event modeling and prediction
US20140059199A1 (en) 2012-08-21 2014-02-27 Microsoft Corporation Transaction-level health monitoring of online services
US20140090061A1 (en) 2012-09-26 2014-03-27 Northrop Grumman Systems Corporation System and method for automated machine-learning, zero-day malware detection
US20140113588A1 (en) 2012-10-18 2014-04-24 Deutsche Telekom Ag System for detection of mobile applications network behavior- netwise
US20140149312A1 (en) 2012-11-28 2014-05-29 Td Ameritrade Ip Company, Inc. Systems and methods for determining a quantitative retail sentiment index from client behavior
US20140149806A1 (en) 2011-04-13 2014-05-29 BAR-ILAN UNIVERSITY a University Anomaly detection methods, devices and systems
US20140317734A1 (en) 2012-08-15 2014-10-23 Qualcomm Incorporated Adaptive Observation of Behavioral Features on a Mobile Device
US20150106927A1 (en) 2013-10-14 2015-04-16 Ut-Battelle, Llc Real-time detection and classification of anomalous events in streaming data
US9083729B1 (en) 2013-01-15 2015-07-14 Symantec Corporation Systems and methods for determining that uniform resource locators are malicious
US20150286820A1 (en) 2014-04-08 2015-10-08 Qualcomm Incorporated Method and System for Inferring Application States by Performing Behavioral Analysis Operations in a Mobile Device
US20150304349A1 (en) 2014-04-16 2015-10-22 Cyber-Ark Software Ltd. Anomaly detection in groups of network addresses
US20160021124A1 (en) 2014-07-16 2016-01-21 Microsoft Corporation Volatility-based Classifier for Security Solutions

Patent Citations (100)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7159237B2 (en) 2000-03-16 2007-01-02 Counterpane Internet Security, Inc. Method and system for dynamic network intrusion monitoring, detection and response
US7058015B1 (en) 2000-08-04 2006-06-06 Arbor Networks, Inc. Distributed solution for regulating network traffic
WO2002023808A2 (en) 2000-09-15 2002-03-21 Cymtec Systems, Inc. Network management system
EP1348285A2 (en) 2000-10-09 2003-10-01 Asta Networks, Inc. Progressive and distributed regulation of selected network traffic destined for a network node
US6801503B1 (en) 2000-10-09 2004-10-05 Arbor Networks, Inc. Progressive and distributed regulation of selected network traffic destined for a network node
US20050018608A1 (en) 2000-10-09 2005-01-27 Arbor Networks, Inc. Progressive and distributed regulation of selected network traffic destined for a network node
US7970886B1 (en) 2000-11-02 2011-06-28 Arbor Networks, Inc. Detecting and preventing undesirable network traffic from being sourced out of a network domain
US7444404B2 (en) 2001-02-05 2008-10-28 Arbor Networks, Inc. Network traffic regulation including consistency based detection and filtering of packets with spoof source addresses
US20020107960A1 (en) 2001-02-05 2002-08-08 Wetherall David J. Network traffic regulation including consistency based detection and filtering of packets with spoof source addresses
US20020143980A1 (en) 2001-04-03 2002-10-03 Wetherall David J. Independent detection and filtering of undesirable packets
US8271678B2 (en) 2001-04-03 2012-09-18 Arbor Networks, Inc. Independent detection and filtering of undesirable packets
WO2003001333A2 (en) 2001-06-20 2003-01-03 Arbor Networks, Inc., Detecting network misuse
US20030002436A1 (en) 2001-06-20 2003-01-02 Anderson Thomas E. Detecting network misuse
US8509086B2 (en) 2001-06-20 2013-08-13 Arbor Networks, Inc. Detecting network misuse
GB2393607A (en) 2001-06-27 2004-03-31 Arbor Networks Method and a system for monitoring control signal traffic over a computer network
US7844696B2 (en) 2001-06-27 2010-11-30 Arbor Networks, Inc. Method and system for monitoring control signal traffic over a computer network
CA2452285A1 (en) 2001-06-27 2003-01-09 Arbor Networks Method and system for monitoring control signal traffic over a computer network
US8549139B2 (en) 2001-06-27 2013-10-01 Arbor Networks Method and system for monitoring control signal traffic over a computer network
US20030037136A1 (en) 2001-06-27 2003-02-20 Labovitz Craig H. Method and system for monitoring control signal traffic over a computer network
WO2003003210A2 (en) 2001-06-27 2003-01-09 Arbor Networks Method and system for monitoring control signal traffic over a computer network
US20110296005A1 (en) 2001-06-27 2011-12-01 Arbor Networks Method and system for monitoring control signal traffic over a computer network
US7475141B1 (en) 2001-07-31 2009-01-06 Arbor Networks, Inc. Distributed service level management for network traffic
US7424619B1 (en) 2001-10-11 2008-09-09 The Trustees Of Columbia University In The City Of New York System and methods for anomaly detection and adaptive learning
US20030131100A1 (en) 2002-01-08 2003-07-10 Alcatel Offline behavior analysis for online personalization of value added services
US7841007B2 (en) 2002-03-29 2010-11-23 Scanalert Method and apparatus for real-time security verification of on-line services
US8103755B2 (en) 2002-07-02 2012-01-24 Arbor Networks, Inc. Apparatus and method for managing a provider network
US20040004941A1 (en) 2002-07-02 2004-01-08 Malan Gerald R. Apparatus and method for managing a provider network
US20040111708A1 (en) * 2002-09-09 2004-06-10 The Regents Of The University Of California Method and apparatus for identifying similar regions of a program's execution
US20120124087A1 (en) 2002-10-21 2012-05-17 Arbor Networks Method and apparatus for locating naming discrepancies
US8001271B1 (en) 2002-10-21 2011-08-16 Arbor Networks, Inc. Method and apparatus for locating naming discrepancies
US7359930B2 (en) 2002-11-21 2008-04-15 Arbor Networks System and method for managing computer networks
WO2004049627A2 (en) 2002-11-21 2004-06-10 Arbor Networks System and method for managing computer networks
US8667047B2 (en) 2002-11-21 2014-03-04 Arbor Networks System and method for managing computer networks
US20040103211A1 (en) 2002-11-21 2004-05-27 Jackson Eric S. System and method for managing computer networks
GB2411315A (en) 2002-11-21 2005-08-24 Arbor Networks Inc System and method for managing computer networks
US20040193918A1 (en) 2003-03-28 2004-09-30 Kenneth Green Apparatus and method for network vulnerability detection and compliance assessment
US7596807B2 (en) 2003-07-03 2009-09-29 Arbor Networks, Inc. Method and system for reducing scope of self-propagating attack code in network
US20050005017A1 (en) 2003-07-03 2005-01-06 Arbor Networks, Inc. Method and system for reducing scope of self-propagating attack code in network
WO2005006710A1 (en) 2003-07-03 2005-01-20 Arbor Networks, Inc. Method and system for reducing scope of self-propagating attack code in network
US20050018602A1 (en) 2003-07-21 2005-01-27 Labovitz Craig H. System and method for correlating traffic and routing information
US7529192B2 (en) 2003-07-21 2009-05-05 Arbor Networks System and method for correlating traffic and routing information
US8146160B2 (en) 2004-03-24 2012-03-27 Arbor Networks, Inc. Method and system for authentication event security policy generation
US20050216956A1 (en) 2004-03-24 2005-09-29 Arbor Networks, Inc. Method and system for authentication event security policy generation
US20120167168A1 (en) 2004-03-24 2012-06-28 Arbor Networks, Inc. Method and System for Authentication Event Security Policy Generation
US8291499B2 (en) 2004-04-01 2012-10-16 Fireeye, Inc. Policy based capture with replay to virtual machine
US7634813B2 (en) 2004-07-21 2009-12-15 Microsoft Corporation Self-certifying alert
US7634812B2 (en) 2004-07-21 2009-12-15 Microsoft Corporation Filter generation
US7603715B2 (en) 2004-07-21 2009-10-13 Microsoft Corporation Containment of worms
US7730531B2 (en) 2005-04-15 2010-06-01 Microsoft Corporation System and method for detection of artificially generated system load
US7690037B1 (en) 2005-07-13 2010-03-30 Symantec Corporation Filtering training data for machine learning
US20070094491A1 (en) 2005-08-03 2007-04-26 Teo Lawrence C S Systems and methods for dynamically learning network environments to achieve adaptive security
US7774459B2 (en) 2006-03-01 2010-08-10 Microsoft Corporation Honey monkey network exploration
US20080059544A1 (en) 2006-06-09 2008-03-06 Rick Rahim System and method for providing secure third party website histories
US20100177943A1 (en) 2006-08-11 2010-07-15 Koninklijke Philips Electronics N.V. Methods and apparatus to integrate systematic data scaling into genetic algorithm-based feature subset selection
US8370929B1 (en) 2006-09-28 2013-02-05 Whitehat Security, Inc. Automatic response culling for web application security scan spidering process
US8312536B2 (en) 2006-12-29 2012-11-13 Symantec Corporation Hygiene-based computer security
US20080184371A1 (en) 2007-01-29 2008-07-31 Deutsche Telekom Ag method and system for detecting malicious behavioral patterns in a computer, using machine learning
US8572735B2 (en) 2007-03-29 2013-10-29 George Mason Research Foundation, Inc. Attack resistant continuous network service trustworthiness controller
US7779304B2 (en) * 2007-06-15 2010-08-17 International Business Machines Corporation Diagnosing changes in application behavior based on database usage
US20090168648A1 (en) 2007-12-29 2009-07-02 Arbor Networks, Inc. Method and System for Annotating Network Flow Information
US20120222119A1 (en) 2008-05-08 2012-08-30 Lawrence Brent Huston Active computer system defense technology
US20090313699A1 (en) 2008-06-17 2009-12-17 Jang In Sook Apparatus and method for preventing anomaly of application program
US8136029B2 (en) 2008-07-25 2012-03-13 Hewlett-Packard Development Company, L.P. Method and system for characterising a web site by sampling
US8112546B2 (en) 2009-02-13 2012-02-07 Microsoft Corporation Routing users to receive online services based on online behavior
US8266698B1 (en) 2009-03-09 2012-09-11 Symantec Corporation Using machine infection characteristics for behavior-based detection of malware
US8555391B1 (en) 2009-04-25 2013-10-08 Dasient, Inc. Adaptive scanning
US8365290B2 (en) 2009-05-15 2013-01-29 Frederick Young Web application vulnerability scanner
US20110023115A1 (en) 2009-07-21 2011-01-27 Wright Clifford C Host intrusion prevention system using software and user behavior analysis
US8595176B2 (en) 2009-12-16 2013-11-26 The Boeing Company System and method for network security event modeling and prediction
US20110283361A1 (en) 2010-01-19 2011-11-17 Damballa, Inc. Method and system for network-based detecting of malware from behavioral clustering
US8424072B2 (en) 2010-03-09 2013-04-16 Microsoft Corporation Behavior-based security system
US8463901B2 (en) 2010-05-28 2013-06-11 Arbor Networks, Inc. Stateful flow information table method and system for packet inspection system
US20110296002A1 (en) 2010-05-28 2011-12-01 Arbor Networks, Inc. Stateful Flow Information Table Method and System for Packet Inspection System
US8370939B2 (en) 2010-07-23 2013-02-05 Kaspersky Lab, Zao Protection against malware on web resources
US20120047248A1 (en) 2010-08-20 2012-02-23 Arbor Networks, Inc. Method and System for Monitoring Flows in Network Traffic
US20120096551A1 (en) 2010-10-13 2012-04-19 National Taiwan University Of Science And Technology Intrusion detecting system and method for establishing classifying rules thereof
US8578494B1 (en) 2011-03-31 2013-11-05 Rockwell Collins, Inc. Security threat detection
US20140149806A1 (en) 2011-04-13 2014-05-29 BAR-ILAN UNIVERSITY a University Anomaly detection methods, devices and systems
US8566935B2 (en) 2011-05-12 2013-10-22 At&T Intellectual Property I, L.P. Balancing malware rootkit detection with power consumption on mobile devices
US20130031605A1 (en) 2011-07-28 2013-01-31 Arbor Networks, Inc. Method and Apparatus for Probabilistic Matching to Authenticate Hosts During Distributed Denial of Service Attack
US8661522B2 (en) 2011-07-28 2014-02-25 Arbor Networks, Inc. Method and apparatus for probabilistic matching to authenticate hosts during distributed denial of service attack
US20130263259A1 (en) 2011-08-29 2013-10-03 Arbor Networks, Inc. Analyzing response traffic to detect a malicious source
US20130055374A1 (en) 2011-08-29 2013-02-28 Arbor Networks, Inc. System and Method for Denial of Service Attack Mitigation Using Cloud Services
US20130055375A1 (en) 2011-08-29 2013-02-28 Arbor Networks, Inc. Method and Protection System for Mitigating Slow HTTP Attacks Using Rate and Time Monitoring
US8595837B2 (en) 2011-08-29 2013-11-26 Novell, Inc. Security event management apparatus, systems, and methods
WO2013032774A1 (en) 2011-08-29 2013-03-07 Arbor Networks, Inc. System and method for denial of service attack mitigation using cloud services
WO2013032775A1 (en) 2011-08-29 2013-03-07 Arbor Networks, Inc. Method and protection system for mitigating slow http attacks using rate and time monitoring
US20130111019A1 (en) 2011-10-28 2013-05-02 Electronic Arts Inc. User behavior analyzer
US20130198119A1 (en) 2012-01-09 2013-08-01 DecisionQ Corporation Application of machine learned bayesian networks to detection of anomalies in complex systems
WO2013113532A1 (en) 2012-01-30 2013-08-08 Telefónica, S.A. A method and a system to detect malicious software
US20140317734A1 (en) 2012-08-15 2014-10-23 Qualcomm Incorporated Adaptive Observation of Behavioral Features on a Mobile Device
US20140059199A1 (en) 2012-08-21 2014-02-27 Microsoft Corporation Transaction-level health monitoring of online services
US20140090061A1 (en) 2012-09-26 2014-03-27 Northrop Grumman Systems Corporation System and method for automated machine-learning, zero-day malware detection
US20140113588A1 (en) 2012-10-18 2014-04-24 Deutsche Telekom Ag System for detection of mobile applications network behavior- netwise
US20140149312A1 (en) 2012-11-28 2014-05-29 Td Ameritrade Ip Company, Inc. Systems and methods for determining a quantitative retail sentiment index from client behavior
US9083729B1 (en) 2013-01-15 2015-07-14 Symantec Corporation Systems and methods for determining that uniform resource locators are malicious
US20150106927A1 (en) 2013-10-14 2015-04-16 Ut-Battelle, Llc Real-time detection and classification of anomalous events in streaming data
US20150286820A1 (en) 2014-04-08 2015-10-08 Qualcomm Incorporated Method and System for Inferring Application States by Performing Behavioral Analysis Operations in a Mobile Device
US20150304349A1 (en) 2014-04-16 2015-10-22 Cyber-Ark Software Ltd. Anomaly detection in groups of network addresses
US20160021124A1 (en) 2014-07-16 2016-01-21 Microsoft Corporation Volatility-based Classifier for Security Solutions

Non-Patent Citations (29)

* Cited by examiner, † Cited by third party
Title
"International Search Report & Written Opinion Issued in PCT Application No. PCT/US2015/040086", Mailed Date: Oct. 21, 2015, 12 Pages.
Broadwell, "Response Time as a Performability Metric for Online Services", Technical Report No. UCB//CSD-04-1324, May 2004, 54 pages.
Brown, "Working with SEC-The Simple Event Correlator", Retrieved From: <http://simple-evcorr.sourceforge.net/SEC-tutorial/article.html> Apr. 24, 2014, Nov. 23, 2003, 29 Pages.
Brown, "Working with SEC-the Simple Event Correlator, Part Two", Retrieved From: <http://simple-evcorr.sourceforge.net/SEC-tutorial/article-part2.html> Apr. 24, 2014, Jul. 24, 2004, 27 Pages.
Brown, "Working with SEC—the Simple Event Correlator, Part Two", Retrieved From: <http://simple-evcorr.sourceforge.net/SEC-tutorial/article-part2.html> Apr. 24, 2014, Jul. 24, 2004, 27 Pages.
Brown, "Working with SEC—The Simple Event Correlator", Retrieved From: <http://simple-evcorr.sourceforge.net/SEC-tutorial/article.html> Apr. 24, 2014, Nov. 23, 2003, 29 Pages.
Chavan, et al., "Adaptive Neuro-Fuzzy Intrusion Detection Systems", Proceedings of the International Conference on Information Technology: Coding and Computing, vol. 1, Apr. 5, 2004, 5 pages.
Dass, et al., "LIDS: Learning Intrusion Detection System", Proceedings of the Sixteenth International Florida Artificial Intelligence Research Society Conference, May 12, 2003, pp. 12-16.
Dedhia,"Bitdefender 60-Second Virus Scanner Review", Retrieved From: <http://www.blogsdna.com/20005/bitdefender-60-second-virus-scanner.htm> Mar. 11, 2015, Jan. 3, 2013, 5 pages.
Mukkamala, et al., "Intrusion Detection Using Neural Networks and Support Vector Machines", in Proceedings: The International Joint Conference on Neural Networks, vol. 2, May 12, 2002, pp. 1702-1707.
Office action for U.S. Appl. No. 14/333,377, mailed on Jan. 21, 2016, Sol et al., "Volatility-based Classifier for Security Solutions", 13 pages.
PCT Search Report and Written Opinion mailed Oct. 21, 2015 for PCT application No. PCT/US2015/040083, 12 pages.
Reavey, et al., "Operational Security for Online Services Overview", Available at: <http://download.microsoft.com/download/9/D/B/9DBA2020-5E81-4A54-8C5D-4938B0FAE042/Operational-Security-for-Online-Services-Overview.pdf>, Oct. 21, 2013, 10 Pages.
Rouillard, "Real-Time Log File Analysis using the Simple Event Correlator (SEC)", in Proceedings of the 18th USENIX conference on System Administration, Nov. 14, 2004, 18 Pages.
Said Assar, A Behavioral Perspective in Meta-modeling, Jul. 2011. *
Stroeh, et al., "An Approach to the Correlation of Security Events based on Machine Learning Techniques", Available at: <http://download.springer.com/static/pdf/373/art%253A10.1186%252F1869-0238-4-7.pdf?auth66=1398335730-1698f19e7e31ee8e249648320b49dba7&ext=.pdf>, Mar. 2013, 16 Pages.
Stroeh, et al., "An Approach to the Correlation of Security Events based on Machine Learning Techniques", Available at: <http://download.springer.com/static/pdf/373/art%253A10.1186%252F1869-0238-4-7.pdf?auth66=1398335730—1698f19e7e31ee8e249648320b49dba7&ext=.pdf>, Mar. 2013, 16 Pages.
Terran Lane; "Machine Learning Techniques for the Domain of Anomaly Detection for Computer Security" Purdue University, Jul. 16, 1998. *
Turnbull, "Hardening Linux-Understanding Logging and Monitoring", in Proceedings: Apress, 1 edition, Jan. 25, 2005, 48 Pages.
Turnbull, "Hardening Linux—Understanding Logging and Monitoring", in Proceedings: Apress, 1 edition, Jan. 25, 2005, 48 Pages.
Vaarandi, "SEC-A Lightweight Event Correlation Tool", in Proceedings: IEEE Workshop on IP Operations and Management, Oct. 29, 2002, 5 Pages.
Vaarandi, "SEC-Simple Event Correlator", Retrieved From: <http://simple-evcorr.sourceforge.net/> Apr. 22, 2014, Jan. 15, 2014, 2 pages.
Vaarandi, "Simple Event Correlator for Real-Time Security Log Monitoring", in Proceedings: Hakin9 Magazine, Jan. 1, 2006, 4 Pages.
Vaarandi, "SLCT-Simple Logfile Clustering Tool", Retrieved From: <http://ristov.users.sourceforge.net/slct/> Apr. 24, 2014, Jan. 20, 2010, 1.
Vaarandi, "SEC—A Lightweight Event Correlation Tool", in Proceedings: IEEE Workshop on IP Operations and Management, Oct. 29, 2002, 5 Pages.
Vaarandi, "SEC—Simple Event Correlator", Retrieved From: <http://simple-evcorr.sourceforge.net/> Apr. 22, 2014, Jan. 15, 2014, 2 pages.
Vaarandi, "SLCT—Simple Logfile Clustering Tool", Retrieved From: <http://ristov.users.sourceforge.net/slct/> Apr. 24, 2014, Jan. 20, 2010, 1.
Vaarandi, et al., "Security Event Processing with Simple Event Correlator", in Proceedings: Journal of ISSA, Aug. 2012, 8 pages.
Ye, "A Markov Chain Model of Temporal Behavior for Anomaly Detection", in Proceedings: The IEEE Workshop on Information Assurance and Security, Jun. 6, 2000, 4 Pages.

Also Published As

Publication number Publication date Type
US20160019387A1 (en) 2016-01-21 application
WO2016010875A1 (en) 2016-01-21 application

Similar Documents

Publication Publication Date Title
Begoli et al. Design Principles for Effective Knowledge Discovery from Big Data.
Ribeiro et al. Why should i trust you?: Explaining the predictions of any classifier
Rzeszotarski et al. Instrumenting the crowd: using implicit behavioral measures to predict task performance
US20130263019A1 (en) Analyzing social media
US20100192222A1 (en) Malware detection using multiple classifiers
US20130198203A1 (en) Bot detection using profile-based filtration
Scandariato et al. Predicting vulnerable software components via text mining
US8510795B1 (en) Video-based CAPTCHA
US20120011153A1 (en) Improvements in or relating to digital forensics
US20070033188A1 (en) Method and system for extracting web data
US20080140589A1 (en) Active learning framework for automatic field extraction from network traffic
Kolosnjaji et al. Deep learning for classification of malware system call sequences
US20100074125A1 (en) Discovering communication rules in a network trace
Lou et al. Mining dependency in distributed systems through unstructured logs analysis
US20150047034A1 (en) Composite analysis of executable content across enterprise network
Mohaisen et al. Amal: High-fidelity, behavior-based automated malware analysis and classification
US20120158724A1 (en) Automated web page classification
US20100106671A1 (en) Comprehensive Human Computation Framework
US20150293917A1 (en) Confidence Ranking of Answers Based on Temporal Semantics
Linares-Vásquez et al. On using machine learning to automatically classify software applications into domain categories
US20070100851A1 (en) System and method for collaborative analysis of data streams
US20160041894A1 (en) Structured logging and instrumentation framework
Prasetyo et al. Automatic classification of software related microblogs
US20110218947A1 (en) Ontological categorization of question concepts from document summaries
Hasheminejad et al. Design patterns selection: An automatic two-phase method

Legal Events

Date Code Title Description
AS Assignment

Owner name: MICROSOFT CORPORATION, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SOL, ALISSON AUGUSTO SOUZA;BOIA, DRAGOS D.;MARKEY, BARRY;AND OTHERS;SIGNING DATES FROM 20141021 TO 20141022;REEL/FRAME:034032/0434

AS Assignment

Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MICROSOFT CORPORATION;REEL/FRAME:034819/0001

Effective date: 20150123